Heartbleed bug & password reset etc.

Following on from the Heartbleed bug - see Heartbleed fallout for Apache - Infrastructure have reset all LDAP passwords just in case any were compromised.

To set up a new password, please visit https://id.apache.org/reset/enter.

This will send you an e-mail with a link that can be used to reset your password. The link will expire after 15 minutes, and will only work from the IP which you used to request the reset. It will be sent to your apache.org e-mail address.

Note that the e-mail will be encrypted with your public key(s) if you have supplied any.

If the web page says "encryption failed", then it is likely that one or more of your keys is invalid or has expired.

In that case, please visit https://www.apache.org/dev/infra-contact#regain-account

Decrypting the e-mail

Save the e-mail as a file (e.g. password.txt)

Use a command like the following to decrypt it:

gpg -d password.txt

This will display the decrypted mail in the console window.

Changes to server certificates

The server certificates for most ASF hosts were also replaced.

This will affect client services such as SVN and Mail (if you send via an ASF host).

SVN client cache

SVN caches server certificates and (AFAIK) does not check for certificate revocation, so a cached copy of the old certificate would still be accepted. To avoid potential MITM attacks using the old certificate, please ensure that you delete all cache entries that use it.

See Heartbleed fallout for Apache

Once you have deleted the cache entries, you will need to tell SVN to allow the updated certificate.

Before accepting it, please check that the new server certificate has the following fingerprint:

The following Unix command will remove all cached entries for apache.org hosts:

% grep -l apache.org ~/.subversion/auth/svn.ssl.server/* | xargs rm

Deleting the cache certs on Windows systems:

Subversion normally stores its data under %APPDATA%\Subversion, so the cached certs will be at: %APPDATA%\Subversion\auth\svn.ssl.server

Open a DOS box and change to the directory:

cd %APPDATA%\Subversion\auth\svn.ssl.server

A DIR command should show several files with names consisting of 32 hex characters, and no others.

To list the names of files containing "apache.org", run the following command:

for /F %a in ('findstr /m /i "apache.org" *') do @echo %a

If the output looks OK - i.e. it shows a subset of the file names in the directory - you can change the command to delete the matching files:

for /F %a in ('findstr /m /i "apache.org" *') do @del %a
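The grep and findstr commands above delete every cached entry that mentions apache.org. As an added example (not part of the original page), the following Python script instead parses each file in svn.ssl.server, computes the SHA-1 fingerprint of the certificate it pins and reports only the entries whose fingerprint differs from the one published for the new certificate, so the fingerprint check requested above can be made before anything is deleted. The cache-file layout is Subversion's K/V hash-dump format; TRUSTED_FP and the sample DER bytes are placeholders, not real values.

```python
import base64
import hashlib
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    # svn.ssl.server files are svn "hash dumps": "K <len>\n<key>\nV <len>\n<value>\n" ... "END".
    entries, pos = {}, 0
    while not data.startswith(b"END\n", pos):
        tag, _, length = data[pos:data.index(b"\n", pos)].partition(b" ")
        if tag != b"K":
            raise ValueError("expected K record at offset %d" % pos)
        pos = data.index(b"\n", pos) + 1
        key, pos = data[pos:pos + int(length)], pos + int(length) + 1
        vtag, _, vlength = data[pos:data.index(b"\n", pos)].partition(b" ")
        if vtag != b"V":
            raise ValueError("expected V record for key %r" % key)
        pos = data.index(b"\n", pos) + 1
        entries[key.decode()], pos = data[pos:pos + int(vlength)], pos + int(vlength) + 1
    return entries

def cert_fingerprint(ascii_cert: bytes) -> str:
    # ascii_cert holds the base64 DER certificate; svn prints its SHA-1 as colon-separated hex.
    return ":".join("%02X" % b for b in hashlib.sha1(base64.b64decode(ascii_cert)).digest())

def check_entry(data: bytes, host_suffix: str, trusted_fp: str):
    # (realm, fingerprint) if the entry is for host_suffix but pins a different certificate, else None.
    entry = parse_svn_hash(data)
    realm = entry.get("svn:realmstring", b"").decode()
    if host_suffix not in realm or "ascii_cert" not in entry:
        return None
    fp = cert_fingerprint(entry["ascii_cert"])
    return None if fp == trusted_fp else (realm, fp)

def stale_cache_files(auth_dir: str, host_suffix: str, trusted_fp: str) -> list:
    # Dry run over the real cache: list the files that still pin the old certificate.
    files = (p for p in sorted(Path(auth_dir).expanduser().iterdir()) if p.is_file())
    return [(p, *hit) for p in files if (hit := check_entry(p.read_bytes(), host_suffix, trusted_fp))]

def sample_entry(realm: str, der: bytes) -> bytes:
    # Writes the same K/V format, so the constructed sample below parses like a real cache file.
    fields = {b"ascii_cert": base64.b64encode(der), b"failures": b"8", b"svn:realmstring": realm.encode()}
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields.items()) + b"END\n"

# Constructed sample: the DER bytes are a placeholder, not a real certificate.
OLD_DER = b"placeholder standing in for the pre-Heartbleed certificate"
SAMPLE = sample_entry("https://svn.apache.org:443", OLD_DER)
# TRUSTED_FP is a placeholder; substitute the fingerprint published for the new certificate.
TRUSTED_FP = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
```

Run `stale_cache_files("~/.subversion/auth/svn.ssl.server", "apache.org", TRUSTED_FP)` to see which files still pin the old certificate; anything it returns is safe to delete, and entries that already match are left alone.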

Email certificate renewal on MacOS X

System configuration:
- OS X 10.9.2
- Mail.app 7.2

If this is your configuration, try the following steps:

- Open Keychain Access, locate the certificate for "people.apache.org" and delete it
- Open Terminal and fetch the current certificate for "people.apache.org":
$ SSLHOST=people.apache.org
$ openssl s_client -showcerts -connect $SSLHOST:465 < /dev/null 2> /dev/null | openssl x509 -outform PEM > $SSLHOST.pem
$ open $SSLHOST.pem
- The last command imports the certificate into the keychain; choose the "login" keychain
- After the import is complete, open the certificate in the keychain again by double-clicking it and fix the trust settings (trust all)
- Restart Mail.app

HeartBleed (last edited 2014-04-16 09:43:20 by SebastianBazley)